by o11c 333 days ago
> I still don't know why apps think a device I carry in the streets is safer [...]

Because MFA requirements have never been about security, only security theater. It's the modern version of the "you must change your password every 30 days" rule.

3 comments

On the contrary, single-factor authentication is generally fine (MFA is still better, of course) if the single-factor is an authenticator application or, better yet, a U2F hardware key. If anything in modern web security is theater, it is the password (and SMS MFA, but that's because SMS is a joke to take over).

Wild take here.

MFA is like infinitely more secure than your username/pw that Tim from accounting writes on his notes and reuses the same password everywhere.

How is that not common knowledge?

Wat? If my laptop gets infected and the bad actor tries to access my (insert account protected with MFA here), their ability to do harm is limited by spreading things across two devices.